We currently are running samba 2.0.6 in "security = user" mode with
unencrypted passwords. We did this because people have had Unix logins
for years and I can't make up an smbpasswd file without knowing all
their passwords.
I would like to transition to a PDC mode. However, I want to use a
different system acting only as the PDC (and netlogin, etc.) server
with the current samba server using the new system as the PDC.
On current system (samba 2.0.6 -- though I will upgrade to 2.0.7) the
smb.conf file contains:
[global]
workgroup = Ulticom
server string = Spike
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = no
Correct me if I'm wrong, but I think I need to do this:
After change on original system:
[global]
workgroup = Ulticom
server string = Spike
local master = no
os level = 65
domain master = no
prefered master = no
domain logons = no
encrypt passwords = yes
security = server
password server = chuckie
And on new system (I was going to use 2.2 from CVS for this):
[global]
workgroup = Ulticom
server string = chuckie
os level = 65
domain logons = yes
unix password sync = true
encrypt passwords = yes
...
Now, here's the question:
Is there a way I can transition? I would like to start collecting the
contents of smbpasswd on "spike" for a week then copy it to "chuckie"
and then "turn on" PDC control. I don't really want to have to
ask everyone to write down their passwords and then type them all
in. If I create an smbpasswd file on spike will it just start collecting?
If I ask everyone to change their passwords will that do it?
--
Gary Algier, WB2FWZ gary.algier@ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
This space intentionally left blank by the censors.
Gary Algier wrote:
>
> Now, here's the question:
>
> Is there a way I can transition? I would like to start collecting the
> contents of smbpasswd on "spike" for a week then copy it to "chuckie"
> and then "turn on" PDC control. I don't really want to have to
> ask everyone to write down their passwords and then type them all
> in. If I create an smbpasswd file on spike will it just start collecting?
> If I ask everyone to change their passwords will that do it?

Check out the "update encrypted" parameter in smb.conf. Here is a quote
from the man page:

  This boolean parameter allows a user logging on with a plaintext
  password to have their encrypted (hashed) password in the smbpasswd
  file to be updated automatically as they log on. This option allows
  a site to migrate from plaintext password authentication (users
  authenticate with plaintext password over the wire, and are checked
  against a UNIX account database) to encrypted password authentication
  (the SMB challenge/response authentication mechanism) without forcing
  all users to re-enter their passwords via smbpasswd at the time the
  change is made. This is a convenience option to allow the change over
  to encrypted passwords to be made over a longer period. Once all users
  have encrypted representations of their passwords in the smbpasswd
  file this parameter should be set to "off".

  In order for this parameter to work correctly the "encrypt passwords"
  parameter must be set to "no" when this parameter is set to "yes".

  Note that even when this parameter is set a user authenticating to
  smbd must still enter a valid password in order to connect correctly,
  and to update their hashed (smbpasswd) passwords.
--
======================================================================
Herb Lewis                               Silicon Graphics
Networking Engineer                      1600 Amphitheatre Pkwy MS-510
Strategic Software Organization          Mountain View, CA  94043-1351
herb@sgi.com                             Tel: 650-933-2177
http://www.sgi.com                       Fax: 650-932-2177
======================================================================
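To judge when the collection period described in this thread is over and "update encrypted" can be switched off, the smbpasswd file on spike can be audited for entries that still hold placeholders. This is an added example, not part of the original thread or of Samba; it assumes the smbpasswd(5) line layout (name:uid:LM hash:NT hash:...), a file seeded with one all-X placeholder entry per Unix account, and a constructed sample with made-up hex values.

```python
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
PLACEHOLDER = "X" * 32      # entry exists but no hash has been stored yet
NULL_PW = "NO PASSWORD"     # marker for an account with no password set

def classify(line):
    """Return (user, status) for one smbpasswd line; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split(":")
    if len(f) < 4 or any(len(h) != 32 for h in f[2:4]):
        return f[0], "malformed"
    lm, nt = f[2], f[3]
    if lm.startswith(NULL_PW) or nt.startswith(NULL_PW):
        return f[0], "null-password"
    hashed = [bool(HEX32.match(h)) for h in (lm, nt)]
    if all(hashed):
        return f[0], "hashed"
    if any(hashed):
        return f[0], "partial"      # only one of LM/NT filled in
    if lm == nt == PLACEHOLDER:
        return f[0], "pending"      # user has not logged in since seeding
    return f[0], "malformed"

def migration_report(text):
    """Group user names by status; hash values are never echoed."""
    report = {}
    for line in text.splitlines():
        result = classify(line)
        if result:
            report.setdefault(result[1], []).append(result[0])
    return report

def ready_to_switch(report):
    """True once the file is non-empty and every entry carries both hashes."""
    return set(report) == {"hashed"}

# Constructed sample; the hex strings are made up, not real hashes.
SAMPLE = "\n".join([
    f"alice:1001:{PLACEHOLDER}:{PLACEHOLDER}:[U          ]:LCT-00000000:",
    f"bob:1002:{'0123456789ABCDEF' * 2}:{'FEDCBA9876543210' * 2}:[U          ]:LCT-39A1B2C3:",
    f"carol:1003:{NULL_PW + 'X' * 21}:{NULL_PW + 'X' * 21}:[NU         ]:LCT-00000000:",
    f"dave:1004:{PLACEHOLDER}:{'0F' * 16}:[U          ]:LCT-39A1B2C4:",
    "erin:1005:short:short",
])

if __name__ == "__main__":
    for status, users in sorted(migration_report(SAMPLE).items()):
        print(f"{status:14} {', '.join(users)}")
```

The hashes stored in smbpasswd are password-equivalent for SMB challenge/response, so the file, and the copy carried from spike to chuckie, should be readable by root only.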